28 April, 2016
We work online. We transact online. We play online. As we conduct our lives over the Internet and become increasingly dependent on digital services, it is imperative to ensure that such services remain secure and uninterrupted, and the information that we share is protected from unauthorised access and use.
What is cyber security?
There is no universally accepted definition for “cyber security”. A casual observer will probably notice that this term is not defined in any Singapore statute, although it forms the name of the Computer Misuse and Cybersecurity Act (Cap. 50A). This is perhaps because “cyber security” is never a static concept and must evolve with changing technologies.
Broadly, “cyber” is a state of connectivity with electronic communication networks especially the Internet, in respect of computers, information technology, and virtual reality.1
In this context, “security” can be viewed as the activities that support the following three attributes:-2
(a) confidentiality, which ensures that information is only accessible by authorised individuals;
(b) integrity, which ensures that information has not been unintentionally modified; and
(c) availability, which ensures that information is readily available whenever it is needed.
For a more detailed working definition of “cybersecurity”, the US National Institute of Standards and Technology (“NIST”) defines the term as the ability to protect or defend the use of cyberspace from cyber attacks.3
According to NIST, “cyberspace” refers to a global domain within the information environment, consisting of an interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. “Cyber attack” refers to an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment or infrastructure; or destroying the integrity of the data or stealing controlled information.4
Regardless of the nature of a cyber security incident, the interests to be protected include a combination of:-
(a) information (including personal data, financial data, trade secrets and confidential information);
(b) assets (including financial, non-financial and infrastructural assets);
(c) computer programs;
(d) computer systems; and/or
(e) communication networks.
Key laws in Singapore regulating cyber security
The Computer Misuse and Cybersecurity Act (Cap. 50A) (“CMCA”) is the primary legislation to deter computer crimes in Singapore and to ensure that the use of computers and the conduct of e-commerce are secure. Among other activities, the CMCA criminalises unauthorised access, use, interception and modification of computers, data and computer services.5
The CMCA has extraterritorial reach: it is enforceable against a computer crime whether committed in Singapore or overseas, as long as the affected computer, program or data was in Singapore at the material time.6
The CMCA also has special provisions empowering the Minister for Home Affairs to authorise or direct any specified person or organisation to take such measures, or comply with such requirements, as may be necessary to prevent, detect or counter any cyber security threat to Singapore’s defence, national security, foreign relations or essential services.7
These are wide-ranging powers. If the specified person authorised by the Minister so requires, he may direct any third party to disclose any information relating to the design, configuration, operation or security of any computer, computer program or computer service.8
The Personal Data Protection Act 2012 (“PDPA”), on the other hand, establishes a baseline regulatory framework that recognises the rights of individuals to protect their personal data and the needs of organisations to collect and use personal data.
In particular, organisations that collect or process personal data, including those that do so on behalf of others, are obliged to make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks with respect to the personal data in their possession or under their control (“the Security Obligation”).9
Unlike the CMCA, which regulates individual conduct, the PDPA imposes obligations on organisations: an organisation that contravenes the Security Obligation may be liable for a maximum fine of S$1 million,10 and individuals who suffer loss or damage as a result of the contravention may also have a right of action against the organisation for relief, including damages, in civil proceedings.11
Relationship between security and privacy
The concepts of personal data protection (i.e. privacy) and security often overlap, so it is essential to understand their distinction and how one may have an effect on the other. While privacy relates to the rules and practices on acceptable collection, use and handling of personal data to maintain individuals’ trust in organisations that manage personal data,12 the concept of security is broader. At the heart of security is the protection of information, whether personal or other types of information, against unauthorised access, use, modification, destruction and disclosure (“information security”).
Information security is achieved by implementing systems and controls, which need to be monitored and reviewed, to ensure that organisational security objectives are achieved. If security is breached, then privacy controls will be ineffective.13
The actors in cyber security
A primer on cyber security will be incomplete without identifying the main actors, their motivations and their methods.
Even as identities and national borders disappear in cyberspace, four categories of actors consistently come up: individuals, hacktivists,14 organised cyber criminals, and nation states.
Singapore has witnessed several high-profile hacking exploits by individuals and hacktivists in the last few years.
In 2013, James Raj Arokiasamy, who called himself "The Messiah", hacked computer servers of at least seven organisations, including the Prime Minister's Office and the Elections Department. Among other exploits, he also accessed a server of Fuji Xerox and stole bank statements of 647 of Standard Chartered Bank’s clients.
In 2014, a group of hacktivists, who call themselves “The Knowns”, breached the membership database of K Box, a karaoke company. In their protest against the Singapore government’s plans to match Malaysia’s toll hikes at the causeway between the two countries, The Knowns leaked more than 317,000 of K Box members’ details such as mobile numbers, identification card numbers and addresses.
In 2015, Georgy Kotsaga, a Juris Doctor programme student at the Singapore Management University, accessed his law professors’ computer accounts to delete the examination scripts of his fellow classmates after realising that he may not do well for the examination.
He made use of a USB hardware keylogger to capture user IDs and passwords of his professors and classmates, thinking that he would get a chance to retake the examination by deleting the scripts.
Although there does not appear to be any widely reported news of organised cybercrime in Singapore, the sheer scale of damage following the activities of organised cybercriminals is an alarming cause for concern.
In February 2015, the Carbanak cybercrime ring struck more than 100 banks in 30 countries, stealing as much as US$1 billion over a 2-year period. Carbanak managed to access account balances on internal networks and effect money transfers by tricking pre-selected bank employees into opening malicious software files. Carbanak also seized control of Automated Teller Machines (“ATMs”) remotely and ordered them to dispense cash at a pre-determined time, when a gang member would be waiting to collect the money.15
In March this year, the Bangladesh central bank was reported to have lost US$100 million in reserves maintained at the Federal Reserve Bank of New York to a group of hackers who used malicious software (“malware”) to obtain authentic bank SWIFT codes. A substantial part of this amount was traced to the bank accounts of 3 casinos in the Philippines, and a separate transfer of another US$870 million was attempted.16
The actions of nation-states and state-sponsored actors which threaten cyber security are hardly, if ever, acknowledged or reported. It was therefore a revelation in recent proceedings before the United Kingdom’s (“UK”) Investigatory Powers Tribunal (“IPT”) when the UK Government Communications Headquarters (“GCHQ”) admitted, for the first time, that its agents had hacked devices in the UK and abroad. The claimants, the campaign group Privacy International and seven internet service providers with UK operations, challenged the actions of GCHQ as being too intrusive and in contravention of European law, but the tribunal was satisfied that the operations were conducted in a lawful and proportionate way.17
Their motivations
A cyber breach may be targeted at individuals, businesses, whole industries, government agencies and national infrastructures. The desired effect can be rationalised into one or more purposes, namely:-
(a) to embarrass;
(b) to send a public message, whether in furtherance of social or political goals or otherwise;
(c) to steal assets or information, including intellectual property, business information and customer data;
(d) to disrupt operations and/or destroy property;
(e) to destroy business and future earnings; and/or
(f) to cause widespread disruption and destruction.
Their methods
A variety of means may be employed. Some of the common causes of security incidents and data breaches involving electronic data are a result of:-
(a) hacking or other unauthorised access of databases;
(b) malware or hostile programs such as computer viruses and spyware;
(c) social engineering, such as phishing scams; and/or
(d) physical attacks such as use of skimming devices on ATMs.
Apart from malicious forms of attack, poor “cyber hygiene” habits and inherent weaknesses in systems and processes compromise security. Common issues include:
(a) accidental loss, or a failure to secure from theft, electronic devices or portable storage devices;
(b) fault or weakness in the program code of a system or device;
(c) failing to dispose of electronic or storage devices properly;
(d) weak passwords and login credentials; and
(e) document errors, such as forwarding data to incorrect recipients, publishing private data to public web servers, and carelessly disposing of confidential data.
Regardless of the preventive measures in place, cyber security can only be as strong as its weakest link. In this regard, outsourced service providers and small and medium-sized enterprises (SMEs) with weaker systems and processes are increasingly being compromised and used as conduits to attack higher-value enterprise targets in their supply chain.
Cyber defences
Defences against a cyber attack may take a variety of forms, including administrative measures, technical measures, physical measures, or a combination of them. They range from straightforward practices (e.g. changing passwords regularly) to the use of complex technologies (e.g. encryption).
One way of understanding cyber defences is to view them in terms of layers,18 whereby:-
(a) the first layer involves blocking malicious traffic;
(b) the second layer involves defending at the frontier when the traffic reaches the environment, and before it reaches the computer servers; and
(c) the third layer involves protection against entry into the computing devices of individuals.
Each layer of defence usually involves the four strategies of ‘Prevention’, ‘Detection’, ‘Response’ and ‘Recovery’.19
Generally, ‘Prevention’ includes: (i) efforts to patch software vulnerabilities and to ensure sufficient capacity in storage and transmission facilities; and (ii) other means of avoiding an attack. As it is impossible to prevent every attack, it becomes important to ‘Detect’ and ‘Respond’ to any threat as soon as possible, by identifying the threat and eliminating it. The ‘Recovery’ phase is then essentially to bring the service, computer server or communication network back online, including restoring data, as soon as possible to minimise business disruption.
The road ahead
The Singapore government has been relentless in tackling cyber security issues.
To encourage a more secure cyber environment and to develop the country as a trusted and robust info-communication hub, the five-year National Cyber Security Masterplan 2018 (NCSM2018) was launched in 2013 to focus on the following:-20
(a) enhancing the security and resilience of critical info-communication infrastructure (“CII”);
(b) increasing efforts to promote the adoption of appropriate info-communication security measures among individuals and businesses, including collaborations to promote the sharing of cyber threat information; and
(c) growing Singapore’s pool of info-communication security experts.
On 1 April 2015, the Cyber Security Agency of Singapore (“CSA”) was formed to coordinate public and private-sector efforts to protect national systems, such as those in the energy and banking sectors, from cyber threats. It was reported later the same year that the Singapore government would spend up to 10 per cent of Singapore's information technology budget on cyber security, with private companies also urged to do likewise.21
With the formation of the CSA and the increased cyber threat landscape, the Minister for Communications and Information and Minister-in-charge of Cyber Security, Dr Yaacob Ibrahim, announced on 21 January 2016 that a new cyber security bill would be introduced to give the CSA greater powers to prevent and cope with cyber security threats to Singapore’s CII.22
The draft bill is not in public circulation at the time of writing, so the details of this new bill are anyone’s guess. It will be interesting to see whether the new bill will establish a baseline regulatory framework on cyber breach prevention, detection and response for the private sector, especially outsourced service providers supporting CII and essential services in Singapore.
Concluding thoughts
On the business end, cyber security is at a significant stage of development.
Enlightened leaders are beginning to realise that securing data and extracting value from data are increasingly part of a larger governance issue that requires cross-functional awareness of various issues and risks, rather than simply a function of IT or other technical administration.
Information and communications technology (ICT) products and services are expected to incorporate security elements to manage the malicious activity that threatens this data-driven global economy and the common global communications network in which we operate.
As organisations take on roles as stewards and trustees of data in the digital environment, the ability to understand and find new ways to address the explosion of cyber threats, including measures to mitigate the potential loss and misuse of information assets, has never been more significant.
1 Oxford Advanced Learner’s Dictionary accessed at http://www.oxforddictionaries.com/definition/learner/cyber on 7 March 2016.
2 Breaux, T. (2014) Introduction to IT Privacy – A Handbook for Technologists, International Association of Privacy Professionals, pp. 8.
3 NIST (2013) ‘Glossary of Key Information Security Terms’ accessed at http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf on 7 March 2016.
4 Ibid.
5 Sections 3 to 8, CMCA.
6 Section 11, CMCA.
7 Section 15A(1), CMCA. The services that are considered “essential services” pertain to Singapore’s communications infrastructure, banking and finance, public utilities, public transportation, land transport infrastructure, aviation, shipping, public key infrastructure and emergency services such as police, civil defence or health services. Section 15A(12) of the CMCA.
8 Section 15A(2), CMCA.
9 Sections 24 and 4(2), PDPA.
10 Section 29(2)(d), PDPA.
11 Section 32, PDPA.
12 Singapore Parliamentary Debates, Official Report (15 October 2012), 2nd Reading of Personal Data Protection Bill, https://sprs.parl.gov.sg/search/report.jsp?currentPubID=00078007-WA (accessed 6 March 2016) (Dr Yaacob Ibrahim, Minister for Information, Communications and the Arts).
13 Swire, P. and Ahmad, K. (2012) Foundations of Information Privacy and Data Protection – A Survey of Global Concepts, Laws and Practices, International Association of Privacy Professionals, pp. 77 and 78.
14 The Oxford Dictionaries define “hacktivist” as a person who gains unauthorized access to computer files or networks in order to further social or political ends.
15 South China Morning Post, ‘Cybercrime ring steals US$1b from 100 banks in two-year global heist’, 16 February 2015.
16 Bloomberg Business, ‘$1 Billion Plot to Rob Fed Accounts Leads to Manila Casinos’, 10 March 2016; Reuters, ‘Malware suspected in Bangladesh bank heist: officials’, 11 March 2016.
17 Privacy International and Greennet & Others v. (1) The Secretary of State for Foreign and Commonwealth Affairs (2) The Government Communications Headquarters [2016] UKIP Trib 14_85-CH, http://www.ipt-uk.com/docs/Privacy_Greennet_and_Sec_of_State.pdf (accessed 12 March 2016); BBC News, ‘Tribunal rules computer hacking by GCHQ is not illegal’, 12 February 2016.
18 Singapore Parliamentary Debates, Official Report (20 January 2014), Response to questions on the Awareness for Greater Cyber Security, https://sprs.parl.gov.sg/search/report.jsp?currentPubID=00005404-WA (accessed 12 March 2016) (Dr Yaacob Ibrahim, Minister for Communications and Information).
19 Ibid.
20 https://www.ida.gov.sg/blog/insg/featured/securing-singapores-cyber-environment/.
21 Straits Times, ‘S'pore to spend 10% of IT budget on cyber security’, 7 October 2015, http://www.straitstimes.com/singapore/spore-to-spend-10-of-it-budget-on-cyber-security.
22 http://www.straitstimes.com/politics/mcis-addendum-to-presidents-address-cyber-security-bill-to-be-introduced-nationwide-digital.
For more information, please contact:
Jack Ow, Partner, RHT Taylor Wessing
jack.ow@rhtlawtaylorwessing.com